Netgate Discussion Forum
    Mobile IPsec RADIUS IP Assignment

    • djamp42

      Is it possible to have RADIUS give out IPs for users connecting via mobile IPsec? I have the authentication part working, but it seems no matter what settings we try, pfSense does not give the assigned IP address to the user. This is with strongSwan, 2.2.4.

      I am using IAS for RADIUS, just wondering if anyone got this working.

    • Guest

      > Is it possible to have radius give out IPs for users connecting via mobile IPSEC?

      Normally the VPN device gives the new IP addresses to the IPsec clients, and then the RADIUS server authenticates the VPN clients over the certificates.

      > I have the authentication part working,

      OK, this would be the hardest part as I see it. If this is working, it is only a small tutorial for you to read, and then you will have it up and running well.

      > but it seems no matter what settings we try pfsense does not give the assigned ip address to the user.

      Please see under the link how to solve this, and enrich it by setting up the RADIUS server address in the IPsec settings! Please read this tutorial

    • jimp (Rebel Alliance Developer Netgate)

      @djamp42:

      > Is it possible to have radius give out IPs for users connecting via mobile IPSEC?

      Not currently.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

    • MaxHeadroom

      It is possible, but not via the GUI, and this option gets lost on restarting IPsec over the GUI (`ipsec reload`).

      With this entry it works:

      ```
      rightsourceip=%radius
      ```

      So maybe someone can add this option to the GUI:

      VPN: IPsec: Mobile -> Virtual Address Pool as an add point

      best regards
    • MaxHeadroom

      Hi,
      I patched my /etc/inc/ipsec.inc so that if in Phase 1 the auth. method is EAP-RADIUS and in the Mobile clients settings the virtual address pool is not checked, it adds

      ```
      rightsourceip=%radius
      ```

      For me it works now with Android + the strongSwan app (IKEv2 EAP), and it gets the IP from FreeRADIUS.

      best regards

      [vpn.inc.zip](/public/_imported_attachments_/1/vpn.inc.zip)
    • jimp (Rebel Alliance Developer Netgate)

      Can you post that as a text diff, rather than a .zip? I'd like to try it but I'd rather not replace the entire file.

    • ajrg

      This is an interesting patch - I would also be interested in the diff!

    • ajrg

      @MaxHeadroom:

      > gets the ip from freeradius

      While I'm thinking about it - with this patch, are you defining IP addresses for already existing (on pfSense) networks? Only reason I ask is that you are turning off the virtual network option.

    • MaxHeadroom

      Hi,

      sorry for the delay, here is the patch for getting the IP from the RADIUS, and no, they are not already existing networks on the pfSense. It is only that the RADIUS server submits the IP.

      I also have a second patch, same as the first patch + a change from IKEv2 EAP to IKEv2 Certificate + EAP; it just adds rightauth2 and changes a little bit the generation of `/var/etc/ipsec/ipsec.conf`.

      I haven't changed the selectable name in the GUI; maybe it is better to add another option? (Better someone who already knows how this stuff works does this.)

      With both patches the IPsec tunnel is working with IPSec Freeswan on Android very well.
      For security reasons I like certs also on the client 8)

      Oh sorry, I forgot to say: you have to unset **virtual address pool** for the static IP from RADIUS (don't forget to set a user IP on the RADIUS server!)

      BR
      markus

      [vpn.inc.patch.zip](/public/_imported_attachments_/1/vpn.inc.patch.zip)
      [vpn.inc.patch2.zip](/public/_imported_attachments_/1/vpn.inc.patch2.zip)
    • jimp (Rebel Alliance Developer Netgate)

      The second thing would definitely need its own, separate GUI choice, since it isn't compatible with the current eap-radius selection.

      The IP address pulling bit works OK, though I was disappointed to find that it doesn't look like strongSwan has a way to fall back to a local pool if there is no IP address in RADIUS. There is a way to specify multiple items in rightsourceip but it ends up using both at all times, not one then the other. For example if I use "%radius,x.x.x.0/24" it gives an address to the user from both RADIUS and the local pool.

      I committed a variation of the IP address part here:
      https://github.com/pfsense/pfsense/commit/86330e2b9ba85930a15a2cbd5ef7e7c3d0b3f814

      The only negative side effect is that it would not allow someone to configure eap-radius and omit the pool entirely (hardcode IP addresses on the client) – I can't imagine anyone wanting to do that, but maybe someone does. Might still need a GUI checkbox.

    • ajrg

      Sorry for the slow reply - running this patch on my home box and it works brilliantly, so thanks!

      Out of interest, is this something that is likely to end up in the release, further down the road?

    • jimp (Rebel Alliance Developer Netgate)

      It's already in for 2.2.5 so it will be in a release shortly.

    • ajrg

      Great stuff! :D

    • dcandea

      Hi

      I managed to make it also work with Mutual RSA and Xauth. strongSwan has support for xauth-radius.

      Replace line

      ```php
      $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
      ```

      with

      ```php
      $rightsourceip = "\trightsourceip = %radius\n";
      ```

      and

      ```php
      $authentication .= "\n\trightauth2 = xauth-generic";
      ```

      with

      ```php
      $authentication .= "\n\trightauth2 = xauth-radius";
      ```
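The thread boils down to a handful of `ipsec.conf` combinations that either work (`eap-radius` or `xauth-radius` plus `rightsourceip=%radius`), hand out two addresses at once (`%radius` combined with a local pool, which strongSwan uses side by side rather than as a fallback), or leave mobile clients with no address at all (RADIUS auth with no `rightsourceip`). The lint below checks a generated config for exactly those cases. It is an added example written for this page, not pfSense or strongSwan code; the sample config is constructed by hand and only loosely modelled on what pfSense writes to `/var/etc/ipsec/ipsec.conf` (the conn names and the 10.99.0.0/24 pool are made up), and the third check rests on the assumption that `%radius` can only yield an address when the peer was actually authenticated against RADIUS.

```python
"""Lint strongSwan ipsec.conf 'conn' sections for the RADIUS address-pool
pitfalls discussed in the thread.  Added example, not pfSense/strongSwan code."""
import re
from typing import Dict, List, Optional

# Constructed sample, loosely modelled on a pfSense-generated ipsec.conf.
# conn names and the 10.99.0.0/24 pool are made up for this example.
SAMPLE_IPSEC_CONF = """\
config setup
\tuniqueids = yes

conn con-mobile-ok
\tkeyexchange = ikev2
\tleftauth = pubkey
\trightauth = eap-radius
\trightsourceip = %radius

conn con-mobile-double
\tkeyexchange = ikev2
\tleftauth = pubkey
\trightauth = eap-radius
\trightsourceip = %radius,10.99.0.0/24

conn con-mobile-nopool
\tkeyexchange = ikev2
\tleftauth = pubkey
\trightauth = eap-radius

conn con-mobile-xauth
\tkeyexchange = ikev1
\tleftauth = pubkey
\trightauth = pubkey
\trightauth2 = xauth-radius
\trightsourceip = %radius

conn con-mobile-localonly
\tkeyexchange = ikev2
\tleftauth = pubkey
\trightauth = pubkey
\trightauth2 = xauth-generic
\trightsourceip = %radius
"""

_SECTION = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")
_KV = re.compile(r"^\s+([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Handles only the subset of ipsec.conf syntax needed here: section headers
    at column 0 and indented 'key = value' lines.  'also=' includes and
    '%default' inheritance are not expanded.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            kind, name = m.groups()
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns


def uses_radius_auth(conn: Dict[str, str]) -> bool:
    """True when the peer is authenticated through RADIUS (EAP or XAuth)."""
    return conn.get("rightauth") == "eap-radius" or conn.get("rightauth2") == "xauth-radius"


def lint_conn(name: str, conn: Dict[str, str]) -> List[str]:
    """Return one finding string per pitfall present in a single conn."""
    findings: List[str] = []
    radius_auth = uses_radius_auth(conn)
    pools = [p.strip() for p in conn.get("rightsourceip", "").split(",") if p.strip()]
    if radius_auth and not pools:
        # jimp's caveat: eap-radius with no pool means clients must hardcode an address
        findings.append(f"{name}: RADIUS auth but no rightsourceip; peers must bring their own address")
    if "%radius" in pools and len(pools) > 1:
        # jimp's observation: '%radius,x.x.x.0/24' assigns from both, it is not a fallback
        others = ", ".join(p for p in pools if p != "%radius")
        findings.append(f"{name}: %radius combined with local pool {others}; strongSwan assigns from both")
    if "%radius" in pools and not radius_auth:
        # assumption: RADIUS only supplies an address when it authenticated the peer
        findings.append(f"{name}: rightsourceip=%radius without eap-radius/xauth-radius; no RADIUS address")
    return findings


def lint_ipsec_conf(text: str) -> List[str]:
    """Lint every conn in an ipsec.conf text and return all findings."""
    out: List[str] = []
    for name, conn in parse_ipsec_conf(text).items():
        out.extend(lint_conn(name, conn))
    return out


if __name__ == "__main__":
    for finding in lint_ipsec_conf(SAMPLE_IPSEC_CONF):
        print(finding)
```

Run against a live box you would feed it the generated `/var/etc/ipsec/ipsec.conf` instead of the constructed sample; the parser deliberately ignores `also=` and `%default`, so a conn that inherits its `rightsourceip` from a default section would need that expanded first.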
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.